Concept and Meaning of Information Security
Information security is ‘the protection of information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities’ and is also ‘essential to maintain the competitive edge, cash-flow, profitability, legal compliance and commercial image’. Information security is the method used to help establish a level of “trust” in electronic information appropriate to the situation i.e. through the implementation of appropriate information security measures, businesses seek to ensure a reasonable level of trust in the accuracy of the identity of the person who created, signed, and/or sent an electronic record, trust that the record has not been altered without authorization, and trust that contents of the record have been and will be kept confidential. Information security is, in the terms of the cliché, a journey, not a destination. ‘Information security’, however, means different things to different people. Information security becomes explicit in the technical domain and the law had to take a position concerning liabilities of information security failures and their significance in legal evaluation of practical situations. The competence of protection against information security risks remains in the way this process is practiced, whether sufficient resources are allocated, whether qualified professionals do their jobs well, and whether management actually cares about the whole issue. Overall information rests on many factors, including various technical safeguards, trustworthy and capable personnel, high degrees of physical security, competent administrative oversight and good operational procedures.
System security is the security of system resources, and the information security is the security of information or data. The security of information has become an end in itself rather just a means for ensuring the security of people and property. Denial, deception, destruction, and exploitation are generally recognized different attack modes.The bad actors who might perpetrate these actions include: hackers, zealots or disgruntled insiders, to satisfy personal agendas; criminals, for personal financial gain, etc.; terrorists or other malevolent groups, to advance their cause; commercial organizations, for industrial espionage or to disrupt competitors; nations, for espionage or economic advantage or as a tool of warfare. Where information-processing systems used to be sparse, confined to well-defined, guarded buildings and so complex that only a few people knew how to handle them, nowadays computers are all-pervasive and often linked over insecure networks, and ever more people know how to operate them. Where physical control used to suffice to protect single computers stored in guarded buildings, networks need a different kind of protection.
Information Security as a Right
Information security has changed or at least is in the process of changing from a technical aid to a legal value. All critical infrastructures are increasingly dependent on the information infrastructure for a variety of information management, communications and control functions. Information security is no longer a mere technical and management issue but has transformed to the principle of law of a fundamental nature. The technological manipulation of information refers, among others, to the integration of information (merging of documents), the repackaging thereof (translations and the integration of textual and graphical formats) and the possible altering of information (changing of photographic images) by electronic means.
Secure identity can exist in the security of information. In the human world, we take advantage of a lifetime of sensory input to help us effectively manage relationships with strangers, friends and family alike; all within the unwritten rules of our community behaviour. In the digital world, organizations are currently far less able to replicate these essential trust models but, through the usage of identity-centric technology, we can help mimic dynamic relationship management and solidify identity assurance and usage.
Different types of messages and transactions require a higher degree of one or all of the services that encryption methods can supply. Military and intelligence agencies are very concerned about keeping information confidential so they would choose encryption mechanisms that provide a high degree of secrecy. Financial institutions care about confidentiality but care more about the integrity of the data being transmitted so the encryption mechanism they would choose may differ from the military’s encryption methods. Legal agencies may care more about the authenticity of messages that they receive. If the information that was received ever needed to be presented in a court of law, its authenticity would certainly be questioned; therefore, the encryption method used should ensure authenticity, which confirms who sent the information.
Methods Establishing Confidentiality of Communications
There are three common methods of gaining confidentiality of communications: physical security, obfuscation, and encryption. Encryption mathematically scrambles the communication so that only the sender and recipient can unscramble and understand the original message. Encryption offers security services namely integrity; authentication, non-repudiation and confidentiality. Strictly speaking, there is some overlap among these areas. Authentication and confidentiality are accompanying aids for supporting information security. From a legal perspective, authentication is perhaps the most important of all of the security services. It guarantees that the originator or recipient of material is the person they claim to be; and confidentiality ensures that data cannot be read by anyone other than the intended recipients. Unlike paper documents, electronic records come with no inherent attributes of integrity. An integrity lock or integrity check is a quantity derived algorithmically from the bits that constitute the information being transmitted or stored and appended to it for the purpose of ensuring that the information received or retrieved is identical to the information being transmitted or stored. Integrity services can guarantee that data has not been accidentally or deliberately corrupted; it assures the recipient that the message from the sender arrived intact. Non-repudiation provides a different type of security. It assures the recipient that the author of a message cannot, at a later time, deny having transmitted the message to the recipient.
Types of Authentication Mechanisms
There are typically three types of authentication mechanisms: Something you know- Passwords; Something you have- IT tokens, mobile or landline phone and something you are- Biometrics (e.g., fingerprints, pronunciation, retinal patterns). A combination of all three makes the authentication a 3 Factor Authentication.
Legal Perspective vis-à-vis Cryptography
Cryptographic issues raise a number of different interests and striking a desirable balance between them becomes difficult. So, countries lie at different stages of developing policies with some countries having vacuum of policy and others having policy on some areas. In the vast majority of countries (both leading industrial countries and for developing countries) cryptography may be freely used, manufactured, and sold without restriction.
Table – 1 : International Agreements on Cryptography
|1.||COCOM (Coordinating Committees for Multilateral Export Controls)
|Eased restrictions on cryptography to allow export of mass-market and public-domain cryptographic software.|
|2.||Wassenaar Arrangement on Export
Controls for Conventional Arms
and Dual-Use Goods and Technologies
|Allows export of mass-market computer software and public domain software and export of all products that use encryption to protect intellectual property (such as copy protection systems).|
A number of countries explicitly reversed their original prohibitive positions on domestic controls recently. In particular, France, which has long restricted encryption, reversed that policy in January 1999 and announced that the public will be able to use encryption without restrictions. In December 1997, Belgium amended its 1994 law to eliminate its provision restricting cryptography. The policy debate continues to focus on secrecy, with civil rights groups saying that crypto is important for freedom and privacy in the electronic age, and governments claiming that good crypto would make law enforcement significantly more difficult by frustrating attempts to gather evidence by means of wiretaps. The real law enforcement problem with cryptography is that prosecutors cannot rely on cryptographic evidence, and in information-based society, this kind of evidence is likely to figure in more and more trials.
World-wide electronic authentication laws have unique features – some of them solely focus on electronic signatures, whereas others have incorporated provisions regarding contract formation etc.
 ISO27002,2005. It renamed ISO 17799 standard.
 Thomas J. Smedinghoff, “The Legal Challenges of Implementing Electronic Transactions” 41(1) Uniform Commercial Code Law Journal (2008) 3.
 Alan Calder & Steve Watkins, International IT Governance: An Executive Guide to ISO 17799/ISO 27001 8 , (Kogan Page Limited, London, 2008).
 Tuomas Pöysti, “ICT and Legal Principles: Sources and Paradigm of Information Law” 48 Scandinavian Studies in Law (2005) 559 at 587.
 Whitfield Diffie and Susan Landau, Privacy on the Line- The politics of wiretapping and encryption 5 (MIT Press, London, 1998).
 Richard O. Hundley and Robert H. Anderson, “Emerging Challenge: Security and Safety in Cyberspace” 232 , In Athena’s Camp: Preparing for Conflict in the Information Age, John Arquilla & David Ronfeldt (eds.) (RAND, 1997).
 J. J. Britz ,“Technology as a Threat to Privacy: Ethical Challenges to the Information Profession” 13 (3-4) Microcomputers for Information Management: Global Internetworking for Libraries, 1996 available at http://web.simmons.edu/~chen/nit/NIT’96/96-025-Britz.html (accessed on 14 May,2018).
 In the case of physical security, the communicator relies on the fact that the attacker will have a very difficult time physically penetrating the communications media or devices, or that it will be too costly for an attacker to do so. In the case of obfuscation, the communicator relies upon the fact that communicated information is so well hidden in some surrounding container that it will be difficult for an attacker to recognize and thus retrieve it. See Kenneth W. Dam and Herbert S. Lin (eds.) Cryptography’s Role in Securing the Information Society 372 (1996).
 Randy V. Sabet , “International Harmonization in Electronic Commerce and Electronic Data Interchange: A Proposed First Step Toward Signing on the Digital Dotted Line” 46 515 The American Universiy Law Review 511 (1996 ) at 515.
 Supra note Thomas J. Smedinghoff ,24.
 Electronic Privacy Information Center , “Cryptography and Liberty – An International Survey of Encryption Policy” 1999 available at http://gilc.org/crypto/crypto-survey.html (accessed on 13th May ,2018) .
 Simson Garfinkel, Web Security, Privacy & Commerce 103, (O’Reilly, Sebastopol, 2001).
 It was created in 1949 The founding members of COCOM were the United States, Belgium, France, Italy, the Netherlands, Luxembourg, and the United Kingdom.
 Established in December 1995 and Headquartered in Vienna . Named after the town in the Netherlands where negotiations were held. It has 33 member countries.
 The country taking the hardest line is France.
 Ross J Anderson , “Crypto in Europe – Markets, Law and Policy”, available at http://www.cl.cam.ac.uk/~rja14/Papers/queensland.pdf (accessed on 28 March,2018).
Image from here